Bug 1592957
Summary: | Ansible remediation of default umask in login.defs sets incorrect value | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Shawn K. O'Shea <shawn> | |
Component: | scap-security-guide | Assignee: | Watson Yuuma Sato <wsato> | |
Status: | CLOSED ERRATA | QA Contact: | Marek Haicman <mhaicman> | |
Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> | |
Priority: | high | |||
Version: | 7.5 | CC: | jvilicic, matyc, mhaicman, mjahoda, mpreisle, mthacker, openscap-maint | |
Target Milestone: | rc | Keywords: | ZStream | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | scap-security-guide-0.1.40-5.el7 | Doc Type: | Bug Fix | |
Doc Text: |
Prior to this update, the Extensible Configuration Checklist Description Format (XCCDF) benchmark contained the octal umask value for the "/etc/login.defs" file converted to the decimal format. Consequently, Ansible remediations against Red Hat Enterprise Linux 7 incorrectly set the "accounts_umask_etc_login_defs" value. The umask value format in the XCCDF benchmark has been fixed, and the umask entry now passes through correctly.
|
Story Points: | --- | |
Clone Of: | ||||
: | 1601931 | Environment: | ||
Last Closed: | 2018-10-30 11:46:49 UTC | Type: | Bug | |
Bug Blocks: | 1601931 |
Description
Shawn K. O'Shea
2018-06-19 16:39:32 UTC
Hello Engineering Team,

1) As of now, OpenSCAP remediation by generating Ansible Playbooks does not work correctly if it has this bug. The Red Hat customer in the case attached to this bug (who actually filed the bug) is asking if this bug can be prioritized. Would a z-stream release be possible?

2) This is the same customer from:

a) "Ansible remediation setting SELinux policy fails" https://bugzilla.redhat.com/show_bug.cgi?id=1592970

b) "Ansible remediation of various dconf settings contains typo" https://bugzilla.redhat.com/show_bug.cgi?id=1592887

Take care,
Jo Vilicic
irc: jo -- jvilicic
TSE -- IdM -- 919-754-4951

The issue has a fix upstream: https://github.com/OpenSCAP/scap-security-guide/pull/3046

Another related patch: https://github.com/OpenSCAP/scap-security-guide/pull/3050

Verified on version scap-security-guide-0.1.40-5.el7

Tested with SSG Test Suite, on the commit 2dc31c16cc6aa961d1e93e17b0f08ab83a82abfd

With command line arguments:

```
--libvirt qemu:///system ssg-test-suite-rhel7 --xccdf-id scap_org.open-scap_cref_ssg-rhel7-xccdf-1.2.xml --remediate-using ansible rule_accounts_umask_etc_login_defs
```

```
DataStream used (md5) : 2ea1bcda4a87b210d0eb9d82f248db8b  ./rhel7_753.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-16-2115/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK
INFO - Script super_compliance.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK
ERROR - Script wrong_configuration.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui found issue:
ERROR - Scan has exited with return code 0, instead of expected 2 during stage initial
ERROR - The initial scan failed for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'.
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK
ERROR - Scan has exited with return code 2, instead of expected 0 during stage final
ERROR - The check after remediation failed for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs'.
```

```
DataStream used (md5) : 1b70337c8805d0107eadbaa89bc11ad5  ./0.1.40-5.rhel7.ds.xml
Setting console output to log level INFO
INFO - The base image option has not been specified, choosing libvirt-based test environment.
INFO - Logging into /home/dahaic/RH/git/upstream/dahaic/scap-security-guide/tests/logs/rule-custom-2018-09-16-2117/test_suite.log
INFO - xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script correct_value.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK
INFO - Script super_compliance.pass.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script super_compliance.pass.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK
INFO - Script wrong_configuration.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script wrong_configuration.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_ospp OK
INFO - Script wrong_value.fail.sh using profile xccdf_org.ssgproject.content_profile_nist-800-171-cui OK
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3308
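The failure mode in the Doc Text above (an octal umask written to "/etc/login.defs" in its decimal form) can be detected on already-remediated hosts with a check like the following. This is an added example, not code from scap-security-guide; the expected value `077`, the function names and the sample file contents are assumptions constructed for illustration.

```python
import re

OCTAL = re.compile(r"^[0-7]{1,4}$")

def active_umask_values(login_defs_text):
    """Return the value of every uncommented UMASK line, in file order."""
    values = []
    for line in login_defs_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] == "UMASK":
            values.append(fields[1])
    return values

def classify(value, expected_octal="077"):
    """Compare one UMASK value against the expected octal string (assumed 077)."""
    want = int(expected_octal, 8)
    if OCTAL.match(value) and int(value, 8) == want:
        return "ok"
    # The bug signature: the digits are the base-10 rendering of the octal mask,
    # e.g. 077 (octal) written out as 63.
    if value.isdigit() and int(value, 10) == want:
        return "decimal-converted"
    if not OCTAL.match(value):
        return "invalid"
    return "mismatch"

def audit(login_defs_text, expected_octal="077"):
    """Return [(value, status), ...] for each active UMASK line; [] if none is set."""
    return [(v, classify(v, expected_octal)) for v in active_umask_values(login_defs_text)]

# Constructed sample: what a host looks like after the faulty remediation.
SAMPLE_BAD = """\
PASS_MAX_DAYS   60
#UMASK          022
UMASK           63
"""

# Constructed sample: the same file with the octal value passed through intact.
SAMPLE_GOOD = """\
PASS_MAX_DAYS   60
UMASK           077   # octal
"""

if __name__ == "__main__":
    for name, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, audit(text))
```

Hosts that report `decimal-converted` were most likely remediated with the affected content and need the playbook regenerated from the fixed package and re-applied.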